Check That Certificate

Presented at BSidesLV 2015, Aug. 4, 2015, 2 p.m. (25 minutes)

Why are developers frequently disabling certificate validation in their software? Is it because they are lazy or just plain imbecile? We decided to find out by writing examples to demonstrate certificate checking in as many languages as possible. We found that it was difficult to do properly in the best of libraries, and had catastrophic failure in anything less. There are even a few instances of the libraries' built-in functions getting it horribly wrong.


Presenters:

  • Andrew Sorensen
    Andrew lives in Seattle, WA and works as a Security Consultant at Leviathan Security Group. Andrew is the creator of WLNet and LocalCoast, under which he develops software. Andrew holds a Bachelor of Science in Computer Science and is most interested in new methodologies for solving computer security problems. In his spare time, Andrew researches different areas of security, works on his data and automation platform (WLNet Dataview) and tinkers with electronics.
  • Jacob Jernigan
    Jacob Jernigan works for DigitalOcean on the support team where he ensures customers have the best support experience possible. Previously, he worked as a system administrator at a small information security consultancy. Outside of work, you will find him researching information security, learning programming, and cycling around the City of Seattle.
